BlackBerryForums.com : Your Number One BlackBerry Community      

#1
victorpng Offline
New Member
 
Posts: 3
Join Date: Jul 2008
Model: 8300
PIN: N/A
Carrier: Singtel
Who is the Signer?? - 07-01-2008, 04:51 AM

Hi all,

How do I know who signed a particular application? I can change the name of the developer, and every time I sign an application, it gives me a different hash compared to the previous application that I signed. So my question is: how do you know who signed the application? It is very important in the case of BlackBerry, where the signing tool can be purchased for just $20.

Any reply and comment is appreciated.

Thanks,
Victor
   

#2
simon.hain Offline
CrackBerry Addict
 
Posts: 711
Join Date: Apr 2005
Location: hamburg, germany
Model: 8700
Carrier: o2
07-01-2008, 05:38 AM

RIM will know who signed what, I guess.


java developer, Devinto, hamburg/germany
   
#3
victorpng Offline
New Member
 
Posts: 3
Join Date: Jul 2008
Model: 8300
PIN: N/A
Carrier: Singtel
07-01-2008, 05:51 AM

Quote:
Originally Posted by simon.hain
RIM will know who signed what, I guess.

Yep. That's true. But if you were to download a PayPal application which handles your transactions, would you not want to know if it is really PayPal who developed the application instead of some hacker who tried to clone the application and trick you into downloading it? That is the security I wish to provide for the end user.
   
#4
lePin Offline
New Member
 
Posts: 13
Join Date: Jun 2008
Model: 7100T
PIN: N/A
Carrier: none
07-02-2008, 07:51 AM

Quote:
Originally Posted by victorpng
Yep. That's true. But if you were to download a PayPal application which handles your transactions, would you not want to know if it is really PayPal who developed the application instead of some hacker who tried to clone the application and trick you into downloading it? That is the security I wish to provide for the end user.

I think you misunderstood the signature meaning. Did you read this?
Code signing does not identify the developer - it just lets the user be sure that the code satisfies some security rules of RIM.
   
#5
victorpng Offline
New Member
 
Posts: 3
Join Date: Jul 2008
Model: 8300
PIN: N/A
Carrier: Singtel
07-02-2008, 11:22 PM

Quote:
Originally Posted by lePin
I think you misunderstood the signature meaning. Did you read this?
Code signing does not identify the developer - it just lets the user be sure that the code satisfies some security rules of RIM.

Hi lepin,

I totally understand what you mean. The code signing only allows the developer to use certain APIs. But it doesn't mean the developer has to follow any code of conduct. He can still clone the whole PayPal application, steal the ID and password or even credit card no., send it through an SMS or upload it to a server as he has access to the API, and get the cash. If the user reports that application, it's just too late. Even if they know who the developer is, it just takes too long.

BlackBerry has a very good history of security. You can even wipe the whole phone remotely if it is lost. But for this case, I really hope something can be done. Attached below is the reply from BlackBerry Support, enjoy:

-------------------------------------------------------------
1st email reply

Information on who signed a cod file is not publicly available; however, RIM does have the ability to determine who signed a cod file.

--------------------------------------------------------------
2nd email reply

There isn't any other way to identify who signed an application.

Signing from a carrier can be used to control the security prompts shown to a user. This could also be used to identify the developer; however, support for these items varies between carriers. There are libraries in the BlackBerry API set that are licensed from Certicom. In order to use those libraries, your application needs to be signed with a key from Certicom. It works similarly to the signature keys issued from RIM.

There are 2 types of prompts you can receive. Application Control prompts are shown based on the user's setting under Options, Advanced Options, Applications and then Edit Permissions from the menu. This can also be set by a BlackBerry Enterprise Server administrator. Your application can use the ApplicationPermissions class to request a change to these.

The second type of prompt applies to MIDlets only (not BlackBerry CLDC applications). These are based on the MIDP domains the carrier has configured. You would need to speak with the carrier to find out their settings and if they have a way of bypassing them (such as by signing your application).

Please note that further support will require the purchase of a development support incident.

-----------------------------------------------------------
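
The distinction drawn in this thread, between a platform signature that grants API access and proof of who published the code, shown as an added Go example that is not from any poster or from RIM. It is a simplified model: the `Package` layout, the fixed-seed test keys, the second publisher signature and the out-of-band pinned vendor key are all assumptions, and Ed25519 stands in for whatever algorithm the platform actually uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Package is a constructed stand-in for a signed application file.
type Package struct {
	Name         string // display name, freely chosen by whoever builds the file
	Code         []byte
	AuthoritySig []byte // platform signature: unlocks controlled APIs
	PublisherSig []byte // vendor's own signature (assumed extra layer)
}

type Verdict struct{ APIAccessOK, PublisherOK bool } // two separate questions

func digest(p Package) []byte {
	h := sha256.Sum256(append([]byte(p.Name+"\x00"), p.Code...))
	return h[:]
}

// key derives a deterministic, constructed test key; fixed seeds are for demos only.
func key(n byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{n}, ed25519.SeedSize)) }

func sign(p Package, authority, publisher ed25519.PrivateKey) Package {
	p.AuthoritySig = ed25519.Sign(authority, digest(p))
	p.PublisherSig = ed25519.Sign(publisher, digest(p))
	return p
}

// Check verifies the platform signature and, separately, a vendor key pinned out of band.
func Check(p Package, authority, pinned ed25519.PublicKey) Verdict {
	return Verdict{ed25519.Verify(authority, digest(p), p.AuthoritySig),
		ed25519.Verify(pinned, digest(p), p.PublisherSig)}
}

// Demo signs a vendor build and a same-named build from another key holder.
func Demo() (vendor, sameName Verdict) {
	auth, ven, other := key(1), key(2), key(3)
	authPub, venPub := auth.Public().(ed25519.PublicKey), ven.Public().(ed25519.PublicKey)
	a := sign(Package{Name: "Payments", Code: []byte("vendor build")}, auth, ven)
	b := sign(Package{Name: "Payments", Code: []byte("other build")}, auth, other)
	return Check(a, authPub, venPub), Check(b, authPub, venPub)
}

func main() { fmt.Println(Demo()) }
```

Both builds pass the platform check; only the check against the pinned vendor key tells them apart, which is why a valid platform signature alone cannot answer "who is the signer?".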
   